Microsoft 365 accounts, a critical piece of the digital infrastructure of thousands of companies, are the target of a new and dangerous wave of phishing attacks. This time the attackers do not want you to type your password into a fake page. Instead, they trick you into granting permissions to a malicious application through OAuth, which lets them access your resources without ever knowing your credentials.

Unlike traditional phishing, which tries to steal a username and password, this approach exploits trust in the application authorization process: if you consent without verifying, you are opening the door yourself.

This type of attack exploits a human and procedural weakness, not a technical flaw in the platform, and that is why it is so hard to detect without adequate awareness and controls.

How the attack works

In this campaign, attackers send emails with links that appear legitimate (for example, invitations to documents or collaboration notifications). On clicking, the user lands on a consent page that looks like Microsoft 365's own. In many such campaigns it actually is the genuine Microsoft sign-in and consent dialog, because the attacker has registered a real application; what is fake is the application, not the page, so a correct URL in the address bar is not by itself proof that the request is safe.

If the user approves the requested permissions (for example, access to email, files or profile data), the malicious application is authorized. From then on, attackers can:

  • Read and send emails from the compromised account
  • Access files on OneDrive or SharePoint
  • Use the mailbox and the granted permissions to phish colleagues and move laterally within the organization

All this without the user ever entering their password on a fraudulent page. Note also that the access is tied to the consent grant, not to the password: resetting the password does not remove the grant, which persists until an administrator revokes it or removes the application from the tenant.

Why this approach is so effective

This isn't traditional phishing. There is no need to "hack" the password when you can manipulate the user into handing over access voluntarily.

It works because:

  • OAuth's legitimate consent flow trusts that the user understands what they are authorizing
  • The link may appear to be a legitimate corporate resource
  • Many people approve permissions without checking their actual scope

Attackers have understood that credentials aren't always the target; sometimes the key is simply handed over by the user.

How to defend yourself

  • Carefully review the requested permissions: Before approving an application, verify who publishes it and exactly which data or actions it is asking for. Treat requests for mailbox or file access (Mail.Read, Mail.ReadWrite, Mail.Send, Files.ReadWrite.All) combined with offline_access with particular suspicion, since offline_access yields a refresh token that keeps the access alive after you sign out. An "unverified" publisher label on the consent prompt is a red flag.
  • Implement application consent policies: Limit which applications can be authorized and who can approve them. In Microsoft Entra ID this is the user consent setting: restrict user consent to verified publishers and low-impact permissions, or disable it entirely and route requests through the admin consent workflow.
  • Activate suspicious activity alerts: Monitor the Entra ID audit log for "Consent to application" events and review new enterprise applications and their permission grants, so that unauthorized applications can be detected and revoked quickly.
  • Educate your users: Empower teams to recognize when an OAuth request is legitimate and when it is potentially malicious.
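The two checks above (reading a consent link before approving it, and auditing the grants already in the tenant) can be scripted. The following Python example is added here and is not code from the original post or from Apolo Cybersecurity; the data it works on is constructed in the shape of the Microsoft Graph oauth2PermissionGrant and servicePrincipal resources (field names such as clientId, consentType, scope, verifiedPublisher and appOwnerOrganizationId are real Graph fields, but the identifiers, app names and the "SharePoint Document Viewer" app are illustrative). The scope list and the risk score are this example's own choices, not a Microsoft recommendation.

```python
"""Triage helpers for OAuth consent phishing in Microsoft 365.

Check 1: what an OAuth authorize link is really asking for, before anyone
approves it. Check 2: which existing delegated grants in the tenant look like
an illicit consent. Sample data below is constructed, not from a real tenant.
"""
import json
from urllib.parse import parse_qs, urlparse

# Delegated Microsoft Graph permissions that give an app broad reach into a
# mailbox or the user's files. Any request for these deserves a second look.
HIGH_IMPACT_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
    "Contacts.Read", "User.Read.All", "Directory.Read.All",
}
# offline_access yields a refresh token, so access outlives the user's session.
PERSISTENCE_SCOPE = "offline_access"


def inspect_consent_link(url: str) -> dict:
    """Break an OAuth 2.0 authorize URL down to the facts a user should verify."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)          # decodes %20 and %2F for us
    scopes = set(" ".join(params.get("scope", [])).split())
    return {
        "host": parsed.hostname,
        "client_id": params.get("client_id", [""])[0],
        "redirect_uri": params.get("redirect_uri", [""])[0],
        "scopes": sorted(scopes),
        "high_impact": sorted(scopes & HIGH_IMPACT_SCOPES),
        "persistent": PERSISTENCE_SCOPE in scopes,
        "forces_consent": params.get("prompt", [""])[0] == "consent",
    }


def triage_grants(grants: list, service_principals: list, home_tenant_id: str) -> list:
    """Score existing delegated grants, highest risk first.

    `grants` mirrors GET /oauth2PermissionGrants: clientId is the object id of
    the client service principal, consentType is "Principal" for a single
    user's consent or "AllPrincipals" for tenant-wide admin consent, scope is a
    space-separated list. `service_principals` mirrors GET /servicePrincipals.
    """
    sps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        sp = sps.get(grant["clientId"], {})
        scopes = set(grant.get("scope", "").split())
        reasons = []
        if sp.get("appOwnerOrganizationId") != home_tenant_id:
            reasons.append("third-party app")
            # Publisher verification only matters for apps from other tenants.
            if not (sp.get("verifiedPublisher") or {}).get("verifiedPublisherId"):
                reasons.append("publisher not verified")
        if grant.get("consentType") == "Principal":
            reasons.append("granted by a user, not an admin")
        high = scopes & HIGH_IMPACT_SCOPES
        if high:
            reasons.append("high-impact scopes: " + " ".join(sorted(high)))
        if PERSISTENCE_SCOPE in scopes:
            reasons.append("offline_access (refresh token)")
        score = len(reasons) + len(high)   # extra weight per high-impact scope
        findings.append({
            "app": sp.get("displayName", grant["clientId"]),
            "client_sp_id": grant["clientId"],
            "principal_id": grant.get("principalId"),
            "score": score,
            "reasons": reasons,
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# ---- constructed sample data (illustrative ids and names, not a real tenant) ----
HOME_TENANT = "11111111-1111-1111-1111-111111111111"

SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-internal", "displayName": "HR Portal",
     "appOwnerOrganizationId": HOME_TENANT,
     "verifiedPublisher": {"verifiedPublisherId": None}},
    {"id": "sp-suspect", "displayName": "SharePoint Document Viewer",
     "appOwnerOrganizationId": "99999999-9999-9999-9999-999999999999",
     "verifiedPublisher": {"verifiedPublisherId": None, "displayName": None}},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-internal", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph-sp", "scope": "User.Read"},
    {"clientId": "sp-suspect", "consentType": "Principal", "principalId": "user-42",
     "resourceId": "graph-sp",
     "scope": "User.Read Mail.ReadWrite Files.ReadWrite.All offline_access"},
]
SAMPLE_LINK = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=aaaaaaaa-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-share.example%2Fcallback&prompt=consent"
    "&scope=openid%20offline_access%20Mail.ReadWrite%20Files.ReadWrite.All"
)

if __name__ == "__main__":
    print(json.dumps(inspect_consent_link(SAMPLE_LINK), indent=2))
    for finding in triage_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS, HOME_TENANT):
        print(finding["score"], finding["app"], "|", "; ".join(finding["reasons"]))
```

In a real tenant the two lists would come from the Graph endpoints named in the docstring (with the application's own tenant id as `home_tenant_id`); the point of the join is that a grant is only as trustworthy as the service principal behind it, so the app's owner tenant and publisher status must be read alongside the scopes. A high-scoring finding is revoked by deleting the oauth2PermissionGrant or the enterprise application, not by resetting the user's password.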

Protect your digital identities before it's too late

OAuth-based attacks show that cybercriminals are moving from traditional techniques to ones that abuse legitimate authorization flows, gaining persistent access without ever cracking a password.

At Apolo Cybersecurity we help you strengthen the security of your digital environment from the root: we audit and harden application consent policies, implement access and verification controls at multiple levels, train your teams to detect and stop social engineering attacks, and design specific defenses against phishing.
